This article was published on May 22, 2017

Why privacy policies are just sophisticated traps

In all great magic tricks, it is misdirection that convinces the audience that something magical took place. The same can be said of the privacy policies of various tech companies: they are a mirage that makes you think your privacy is safe and secure when it is far from it.

A privacy policy is an important document that most of us gloss over or decide not to read at all. According to Mikko Hypponen, the Chief Research Officer (CRO) at F-Secure, “It doesn’t matter what it says in the policy. Nobody reads them.” Every educated internet user should know how the companies and products we interact with on a regular basis collect and share information about us.

However, internet users are not entirely at fault. Finding the privacy policy can be a game of hide and seek, as many companies place it in a far corner of their websites, usually buried in the footer at the very bottom of the page.

Moreover, if someone actually reaches the privacy policy, chances are that they won’t fully understand its contents. Several tech firms like to use technical and complex legal jargon that confuses the reader even further rather than educating them.

As if that weren’t enough, the enormous length of the document is enough to push away even the most avid readers. You also have to be cautious of individual clauses, as they can be misleading and contradict other clauses stated in the same privacy policy. Clouding phrases like ‘helping improve user experience’ or ‘communicating about our services’ often mean sharing your data with third parties, advertisers, affiliates, and governmental agencies, which can be troublesome.

How companies use privacy policies to collect personal information

Machine learning is the next frontier for many tech companies. With the growing emphasis on artificial intelligence, you can imagine how different services will collect data about your activities and online behavior.

Evernote

The most recent case involving Evernote’s privacy policy shows the gravity of this issue. In December 2016, Evernote proposed changes to its privacy policy that would allow machine learning to use your data and enable its employees to read users’ notes to ensure that the machine learning was functioning properly.

Evernote said that these changes were to “help you get the most out of your Evernote experience.” This sparked a great backlash among its users, causing Evernote to withdraw the proposed changes. It even inserted a clause at the very top of its privacy policy stating that these changes would not be implemented.

However, don’t be fooled into thinking that Evernote’s employees won’t be reading your notes. It now gives its users the option to opt in to making their notes available for reading. This leads to another problem: since most users don’t read the privacy policy and End User License Agreement (EULA) when downloading the application, they may inadvertently be allowing Evernote to read their notes.

Microsoft

Microsoft is another tech giant that collects information from multiple sources for machine learning. With its integrated approach, you are virtually handing over your data to Microsoft. Its privacy policy clearly states that every interaction you have with its software or hardware, be it creating a new Microsoft account, entering a search term on Bing, seeking help from Cortana, or contacting customer support, will be recorded.

The motive behind collecting enormous amounts of information from consumers was expressed by Microsoft’s CEO, Satya Nadella. On the day of his appointment, he sent an email to all employees explaining that in the coming decade, every aspect of our lives, businesses and world would be digitized. To achieve this feat, he stated, “This will be made possible by an ever-growing network of connected devices, incredible computing capacity from the cloud, insights from big data, and intelligence from machine learning.”

What this means is that Microsoft will go to great lengths to access your personal information. Insights from big data and intelligence from machine learning are only possible once Microsoft has knowledge of your online behavior. The worrying factor is that during the PRISM fiasco, the NSA collaborated with internet giants (including Microsoft) to tap into users’ search history, emails, live chats, transferred documents, communications, and much more. You can only imagine how many similar illegal surveillance programs are lurking in the shadows that no one has blown the whistle on yet.

Windows 10 is the latest example of how much information you are surrendering to Microsoft. Even if you turn off features such as Cortana and Bing search, Windows 10 still sends identifiable information about you to Microsoft. Similarly, you cannot select which updates to install, as Microsoft forces them on Windows 10 users; this is a problem in itself, because the updates sometimes cause problems for end users, who are then stuck until hotfixes are issued.

Data havens protected by dubious privacy policies

While Microsoft and Evernote are working towards machine learning and collecting piles of personal data, other tech companies are not far behind. If we look at various social media services, the wealth of personal data available on such platforms is unparalleled.

Facebook

Take the case of Facebook, the juggernaut of social media services. Facebook’s privacy policy lists a catalogue of content it will record and use from its users. This includes your account information, your communications with others, pictures or videos you share or upload, access to your phonebook, and any payment information you submit on Facebook.

The list becomes even darker if you go into the details. To illustrate one of the points, Facebook collects your device information, including specific geographic locations, tracking you through GPS, Bluetooth or Wi-Fi signals. The average user trades away all this personal information just so that they can talk to their friends and post photos online while being heavily targeted by advertisements.

There are various reported cases of user accounts being temporarily blocked by Facebook when accessed from another city or country. To have the account unlocked, you have to provide a government-issued ID for verification. There is no safeguard on what Facebook does with your ID and the sensitive information it contains, as there are no clauses in the privacy policy addressing this concern at all.

Snapchat

Snapchat is another social app with a rather dubious privacy policy. One of the clauses in Snapchat’s privacy policy states that it will collect images and other information from your phone’s camera and photos. This gives Snapchat unrestrained freedom to access your phone and retrieve other information that you might be oblivious to.

Snapchat further mentions that Snaps will be deleted automatically from its servers once it has detected that all recipients have opened the Snap. However, this is conditional. Snapchat may decide to keep the contents of your Snaps for longer periods if it deems it necessary, and may share such data among the Snap Inc. family of companies. This is ironic, considering that the very reason people use the app is the disposable nature of the media you create with it.

Using EULA to enforce privacy policy

With tech companies explicitly stating in their privacy policies the information they will record and use, the next step is to compel users to agree to these policies. One way to achieve this is an End User License Agreement (EULA), a legal agreement between the tech company and the consumer that grants the user the right to use the service. Different companies use the terms terms of service (TOS), terms of use (TOU), user agreement, license terms, and member agreement synonymously with EULA.

EULAs share the same problem as privacy policies: they are lengthy documents to read. This gives tech firms the opportunity to conceal doubtful clauses in their EULAs, hiding them from the naked eyes of users. It also allows firms to manipulate users into giving up more personal information than they should.

“If they [tech companies] want to do bad stuff, it’s easy to hide a permission for that in a long and complex EULA,” said Mikko Hypponen when I asked him about this issue.

Click-wrap and browser-wrap EULAs

Moreover, if you don’t accept the terms of the EULA, you won’t be able to use the software on your chosen device. The situation gets worse if you have already paid for a piece of software or an app and are then presented with a EULA. Various software companies present their EULA at the time of purchase, but we tend to ignore such documents.

The underlying problem is that most EULAs are click-wrap or browser-wrap in nature. Click-wrap EULAs are agreements presented during the installation process of a piece of software or an app. You must have come across an installation step where you have to click ‘I agree’ or check an ‘I agree to the terms’ checkbox to continue the installation. Here’s what the Microsoft Windows 10 EULA looks like during installation:

Browser-wrap licenses, on the other hand, apply to websites or services where you need access to certain material. Under browser-wrap licenses, a user doesn’t have to click an ‘I agree’ box to accept the terms and conditions. The main criticism of click-wrap and browser-wrap licenses is that they tend to give users little time to review the licensing agreements, which is often true.

Users are more vulnerable to browser-wrap agreements, as they are placed as hyperlinks somewhere on the website. There have been many court cases highlighting the perils of browser-wrap terms of agreement.

Consider the case of Zappos, which lost in court because of the improper presentation of its browser-wrap EULA. In 2012, Zappos announced a massive data breach that affected over 24 million users. Swamped with numerous lawsuits from consumers, Zappos tried to send the lawsuits to arbitration based on a clause in its EULA. However, a federal court ruled against Zappos and turned down its arbitration request.

According to the ruling, Zappos buried its EULA in the middle to bottom of every webpage among numerous other links, giving a user no reasonable reason to click on the Terms of Use (or EULA). In addition, Zappos had stated that it reserved the right to change these terms and conditions at any time, which implied that Zappos could also amend the arbitration clause. In view of these clauses, the court rejected the Zappos EULA as unenforceable.

The next step for defining privacy policies and EULAs

With all the heated court battles and concerns raised by privacy enthusiasts regarding privacy policies and EULAs, there should be a way out. It should be a method that helps the user, doesn’t trick them into giving up sensitive data, and clearly defines how firms will use their data.

When I talked to Hypponen, he put forth an easy proposition that could resolve several issues with privacy policies and legal documents: “If companies behave responsibly, there is no reason why they couldn’t summarize the legal jargon into a few sentences in plain language.”

There are web-based services that summarize the EULAs and privacy policies of different companies. Terms of Service; Didn’t Read is one of these services, rating and pointing out the positive and negative aspects of the TOS of different tech firms. Likewise, TLDRLegal is another website that summarizes the software licenses, EULAs, TOS, and privacy policies of numerous web services.

Therefore, tech firms now have to work even harder to lay out their privacy policies in simpler language and make them more transparent. This issue becomes more critical as we move into an era where our reliance on digital platforms intensifies and the internet of things takes effect.